Networking Forums

OpenVPN client cannot route to LAN

 
 
plshelpsteve@techdork.com
Guest
Posts: n/a

 
      09-23-2005, 02:46 PM
I'm having problems configuring OpenVPN.

While my WinXP box (in a test DMZ area, 192.168.1.15) can connect to my
Debian (Sarge) server on my LAN (10.42.42.146), I cannot access other
servers on the LAN. (Which, of course, is the whole purpose.)

I can ping over the VPN to the server (10.42.5.1), but I cannot ping to
other internal boxes (e.g. 10.42.42.20, which is pingable within my
LAN).

Since an initial connection and a direct ping work just fine, I believe
my firewall is directing 192.1.68.1.75 UDP:1194 to 10.42.42.146 just
fine.

I have executed the following on the Debian server, which should allow for
packet forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

Any thoughts?

- Steve

server.conf:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.42.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.42.42.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3

client.conf:
client
dev tun
proto udp
remote 192.168.1.75 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

C:\>netstat -rn

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff 70 6c 63 de ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport
0x10004 ...00 0a e6 42 22 32 ...... SiS 900-Based PCI Fast Ethernet Adapter - Virtual Machine Network Services Driver
===========================================================================
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway       Interface     Metric
0.0.0.0              0.0.0.0          192.168.1.1   192.168.1.15  20
10.42.5.1            255.255.255.255  10.42.5.5     10.42.5.6     1
10.42.5.4            255.255.255.252  10.42.5.6     10.42.5.6     30
10.42.5.6            255.255.255.255  127.0.0.1     127.0.0.1     30
10.42.42.0           255.255.255.0    10.42.5.5     10.42.5.6     1
10.255.255.255       255.255.255.255  10.42.5.6     10.42.5.6     30
127.0.0.0            255.0.0.0        127.0.0.1     127.0.0.1     1
192.168.1.0          255.255.255.0    192.168.1.15  192.168.1.15  20
192.168.1.15         255.255.255.255  127.0.0.1     127.0.0.1     20
192.168.1.255        255.255.255.255  192.168.1.15  192.168.1.15  20
224.0.0.0            240.0.0.0        10.42.5.6     10.42.5.6     30
224.0.0.0            240.0.0.0        192.168.1.15  192.168.1.15  20
255.255.255.255      255.255.255.255  10.42.5.6     10.42.5.6     1
255.255.255.255      255.255.255.255  192.168.1.15  192.168.1.15  1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

 
 
 
 
 
James Knott
Guest
Posts: n/a

 
      09-23-2005, 04:31 PM
(E-Mail Removed) wrote:

> I'm having problems configuring OpenVPN.
>
> While my WinXP box (in a test DMZ area, 192.168.1.15) can connect to my
> Debian (Sarge) server on my LAN (10.42.42.146), I cannot access other
> servers on the LAN. (Which, of course, is the whole purpose.)
>


Do the other servers know the route to the XP system? If your VPN
terminates on a server and not the firewall, that's likely the problem. My
VPN terminates on my firewall, so any computer on my LAN sends data for the
remote computer to the default gateway, which is my firewall. It sorts out
the stuff for the VPN. There are two solutions to your problem. Add a
routing entry for the VPN systems to the routes or use proxy arp on the
server where your VPN terminates.

 
 
plshelpsteve@techdork.com
Guest
Posts: n/a

 
      09-29-2005, 08:36 PM
Yup! Route back to the client. I'll have to integrate the VPN
through my gateway to make this work the way I want to.

Thanks for steering me in the right direction!

- Steve

James Knott wrote:
> (E-Mail Removed) wrote:
>
> > I'm having problems configuring OpenVPN.
> >
> > While my WinXP box (in a test DMZ area, 192.168.1.15) can connect to my
> > Debian (Sarge) server on my LAN (10.42.42.146), I cannot access other
> > servers on the LAN. (Which, of course, is the whole purpose.)
> >

>
> Do the other servers know the route to the XP system? If your VPN
> terminates on a server and not the firewall, that's likely the problem. My
> VPN terminates on my firewall, so any computer on my LAN sends data for the
> remote computer to the default gateway, which is my firewall. It sorts out
> the stuff for the VPN. There are two solutions to your problem. Add a
> routing entry for the VPN systems to the routes or use proxy arp on the
> server where your VPN terminates.
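
The missing return route diagnosed in this thread, as an added example that is not part of the original posts: a longest-prefix-match lookup over the client's posted routes and a constructed LAN-host table shows the request entering the tunnel while the reply leaves through the LAN's default gateway instead of the OpenVPN server. The LAN host table and the gateway address 10.42.42.1 are assumptions; all other addresses come from the thread.

```python
import ipaddress

ON_LINK = "on-link"

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Addresses taken from the thread.
VPN_SERVER = "10.42.42.146"   # Debian box terminating the tunnel
VPN_CLIENT = "10.42.5.6"      # XP client's tunnel address (from netstat -rn)
LAN_HOST = "10.42.42.20"      # internal box that does not answer pings

# Tunnel-relevant entries from the XP client's posted route table.
CLIENT_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1"),
    ("10.42.42.0/24", "10.42.5.5"),   # installed by the server's push "route ..."
    ("10.42.5.1/32", "10.42.5.5"),
]

# Constructed: a typical LAN host table. 10.42.42.1 as the LAN's
# default gateway is an assumption, not a value from the thread.
LAN_HOST_ROUTES = [
    ("10.42.42.0/24", ON_LINK),
    ("0.0.0.0/0", "10.42.42.1"),
]

# The fix suggested in the reply: a return route for the VPN subnet
# (server 10.42.5.0 255.255.255.0) pointing at the OpenVPN server.
FIXED_ROUTES = LAN_HOST_ROUTES + [("10.42.5.0/24", VPN_SERVER)]

def diagnose(client_routes, host_routes):
    """Return (request_hop, reply_hop, reply_reaches_vpn_server)."""
    request_hop = next_hop(client_routes, LAN_HOST)
    reply_hop = next_hop(host_routes, VPN_CLIENT)
    return request_hop, reply_hop, reply_hop == VPN_SERVER

if __name__ == "__main__":
    print("before:", diagnose(CLIENT_ROUTES, LAN_HOST_ROUTES))
    print("after: ", diagnose(CLIENT_ROUTES, FIXED_ROUTES))
```

On a Linux LAN host or gateway the modeled route corresponds to `ip route add 10.42.5.0/24 via 10.42.42.146`; placing it on the default gateway covers every LAN host at once.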


 